How Will Regulatory Changes Impact Disaster Recovery?
Author: CSC Town Hall
Disasters are big news. They are disruptive to society, and if an organization or business is in the heart of the trouble, the very survival of the organization is at risk. Implementing a Business Continuity Management (BCM) program remains one of the most value-protecting activities that executive management can support. Governments recognize the value of BCM programs and are progressively developing regulations for them. Our panel discusses the developing trends in regulations for Business Continuity and Disaster Recovery in the United States and across the globe.
Disasters are big news for the destruction they cause. An organization that finds itself at the center of a disaster may find its survival at risk. Developing and implementing a business continuity plan is an important task for executives. This CSC Town Hall discussed evolving trends and regulations for business continuity and disaster recovery.
Dan Mikulsky, product manager for business continuity and disaster recovery at CSC, says businesses need a total risk-management system against catastrophic disasters.
"Through business continuity, companies come to understand what is mission-critical to their survival and what risks can cause them to fail to deliver their products and services," Mikulsky says. "That understanding helps them put together a strategy for recovery that, in addition to specific recovery objectives, includes a plan for regular testing."
This area has caught the attention of governments recently, and some have sought to implement regulations, according to Tim Mathews, executive director of enterprise resiliency at ETS, a non-profit educational testing service. Mathews says governments realize that resiliency is an important economic safeguard. "Government wants the private sector and government itself to be able to bounce back faster to provide goods and services and to generate tax revenue," he says. "Government is very interested in the resiliency of communities."
Al Berman, president of Disaster Recovery Institute International, says that governance in continuity occurs at differing levels. Laws are the highest authority and must be followed. Regulations are the next level of authority and carry the weight of law. Industry standards are voluntary requirements that represent best practices within an industry. Certification is a process that a company goes through to verify that it meets the standards for its industry.
Mathews says that as companies develop relationships and partnerships with other companies, questions about continuity and resiliency have to be answered as a natural part of the due diligence process. "When we ask someone, or they ask us 'What level of business continuity do you have?', certification becomes valuable at that point because it establishes a common framework for discussion."
Continuity plans can contain sensitive information, and certification enables a business to satisfy the requirements a client or partner may have without revealing details. "You're essentially saying, 'Our program has been approved by a third party; that should be good enough for you.' And in most cases, it is," Mathews says.
Regulation that governs continuity planning varies by industry. Berman says that certification is helpful if a client requests it, but in industries like finance, much more is required. "The Federal Financial Institutions Examination Council (FFIEC) has very stringent requirements for the banking industry. Their requirements are used by many countries, and they are very effective at improving the resiliency of banks. You have to participate in tests. There's an oversight group. With all the disasters we've had, none has caused a failure in the banking system," Berman says.
Mikulsky says that companies in different regions look to different sources for continuity regulation. "Internationally, there's a heavy reliance on ISO standards. Europeans especially have a respect for certifications. American businesses on the other hand look toward business regulators like FFIEC, HIPAA and others. We have 18 critical infrastructure areas in the U.S. as described by the government. Each one is regulated by different components of the government."
Continuity helps build trust in the brand. "I've talked with some small companies whose continuity plan is to simply go out of business if a disaster occurs. That's fine as long as those you enter into contracts with understand this," Mathews says.
"I think it's clear that events have driven regulation in business continuity and disaster recovery and will continue. When you look at events like 9/11, Katrina and Hurricane Sandy, these were all events that caused people to take this seriously, and caused changes in local or national regulations and legislation. The phone only rings when there's a disaster. When it's quiet, people forget about it," he says.
Other topics discussed during this Town Hall include:
- The hierarchy of laws, regulations and standards
- Qualifications of auditors
- Importance of understanding the scope of certification
- How regulations create a transfer of risk
- The role market forces and insurance premiums play in shaping continuity
Participants in this Town Hall:
- Al Berman, President of DRI International
- Tim Mathews, Executive Director, Enterprise Resiliency, ETS
- Thom Carroll, Delivery Director of Global BC/DR, CSC
- Dan Mikulsky, Product Manager for BC/DR, CSC
- Jeff Caruso, Senior Managing Editor, CSC